[Openstack-operators] glance directory traversal bug and havana

Jesse Keating jlk at bluebox.net
Wed Jan 7 23:07:34 UTC 2015


On 1/6/15 10:31 AM, Jesse Keating wrote:
> Hopefully all of you have seen http://seclists.org/oss-sec/2015/q1/64
> which is the glance v2 api directory traversal bug. Upstream has fixed
> master (kilo) and juno, but havana has not been fixed.
>
> We, unfortunately, have a few havana installs out there and we'd like to
> patch this ahead of our planned upgrade to Juno. I'm curious if anybody
> else out there is in the same situation and is working on backporting
> the glance patch. If not, I'll share the patch when I'm done, but if so
> I'd love to share in the work and help the effort.
>
> Cheers, and happy patching!
>

No responses, but I was able to do the backport. I've tested manually
and without the patch I could coax glance into delivering files from the
filesystem to me, and with the patch it will not do that. I can still
add a location for the allowed schemes, such as http scheme, so this all
seems good.

https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496

-- 
-jlk
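The behaviour described in the message above (file-scheme locations refused, http-scheme locations still accepted) comes down to an allowlist check on the scheme of a user-supplied image location. The following is an added illustration of such a check, not glance's own code or the linked backport; the set of allowed schemes is an assumption for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real deployment decides which
# backends a user may reference. "file" is deliberately absent so that a
# location can never point the service at its own filesystem.
ALLOWED_SCHEMES = {"http", "https"}


def location_is_allowed(url, allowed=ALLOWED_SCHEMES):
    """Return True only if the location's scheme is explicitly allowed.

    Anything without a scheme (a bare path such as "/etc/passwd"),
    with an unknown scheme, or with the file scheme is rejected.
    """
    if not isinstance(url, str) or not url:
        return False
    # urlsplit already lowercases the scheme, so "FILE:///x" is caught
    # the same way as "file:///x"; lower() is kept for clarity.
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        return False
    return scheme in allowed


def validate_location(url):
    """Raise ValueError for a disallowed location; return it otherwise.

    This is the shape of check a location-setting API would run before
    storing the URL, rather than after a read has already happened.
    """
    if not location_is_allowed(url):
        raise ValueError("location scheme not permitted: %r" % url)
    return url
```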

